Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks

Peter Maynard; Kieran McLaughlin

doi:10.5220/0009782302870294

Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks

Peter Maynard, Kieran McLaughlin

Queen's University Belfast

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

We describe a new class of packet injection attacks called Man-on-the-Side (MotS), previously only seen where state actors have “compromised” a number of telecommunication companies. MotS injection attacks have not been widely investigated in scientific literature, despite having been discussed by news outlets and security blogs. MotS came to attention after the Edward Snowden revelations, which described large scale pervasive monitoring of the Internet's infrastructure. For an advanced adversary attempting to interfere with IT connected systems, the next logical step is to adapt this class of attack to a smaller scale, such as enterprise or critical infrastructure networks. MotS is a weaker form of attack compared to a Man-in-the-Middle (MitM). A MotS attack allows an adversary to read and inject packets, but not modify packets sent by other hosts. This paper presents practical experiments where we have implemented and performed MotS attacks against two testbeds: 1) on HTTP connections, by redirecting a victim to a host controlled by an adversary; and 2) on an Industrial Control network, where we inject falsified command responses to the victim. In both cases, the victims accept the injected packets without generating a suspiciously large number of unusual packets on the network. We then perform an analysis of three leading Network Intrusion Detection Systems (IDSs) to determine whether the attacks are detected, and discuss mitigation methods.

Original language	English
Title of host publication	ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications
Editors	Christian Callegari, Soon Xin Ng, Panagiotis Sarigiannidis, Sebastiano Battiato, Angel Serrano Sanchez de Leon, Adlen Ksentini, Pascal Lorenz, Mohammad Obaidat, Mohammad Obaidat, Mohammad Obaidat
Publisher	SciTePress
Pages	287-294
Number of pages	8
ISBN (Electronic)	9789897584459
ISBN (Print)	9789897584466
DOIs	https://doi.org/10.5220/0009782302870294
Publication status	Published - 01 Apr 2020
Event	17th International Conference on Security and Cryptography, SECRYPT 2020 - Part of the 17th International Joint Conference on e-Business and Telecommunications, ICETE 2020 - Virtual, Online, France Duration: 08 Jul 2020 → 10 Jul 2020

Publication series

Name	Proceedings of the International Joint Conference on e-Business and Telecommunications
Volume	3
ISSN (Print)	2184-7711

Conference

Conference	17th International Conference on Security and Cryptography, SECRYPT 2020 - Part of the 17th International Joint Conference on e-Business and Telecommunications, ICETE 2020
Country/Territory	France
City	Virtual, Online
Period	08/07/2020 → 10/07/2020

Bibliographical note

Publisher Copyright:
Copyright © 2020 by SCITEPRESS - Science and Technology Publications, Lda. All rights reserved

Keywords

SCADA
ICS
IEC 60870-5-104
Man-in-the-Middle
Man-on-the-Side

ASJC Scopus subject areas

Computer Networks and Communications
Signal Processing
Electrical and Electronic Engineering

Access to Document

10.5220/0009782302870294Licence: CC BY-NC-ND

R1594ECI: Analysing and Detecting Advanced Multistage Attacks Against ICS
McLaughlin, K. (PI)
13/01/2016 → 30/09/2018
Project: Research

Cite this

Maynard, P., & McLaughlin, K. (2020). Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks. In C. Callegari, S. X. Ng, P. Sarigiannidis, S. Battiato, A. S. S. de Leon, A. Ksentini, P. Lorenz, M. Obaidat, M. Obaidat, & M. Obaidat (Eds.), ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (pp. 287-294). (Proceedings of the International Joint Conference on e-Business and Telecommunications; Vol. 3). SciTePress. https://doi.org/10.5220/0009782302870294

Maynard, Peter ; McLaughlin, Kieran. / Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks. ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications. editor / Christian Callegari ; Soon Xin Ng ; Panagiotis Sarigiannidis ; Sebastiano Battiato ; Angel Serrano Sanchez de Leon ; Adlen Ksentini ; Pascal Lorenz ; Mohammad Obaidat ; Mohammad Obaidat ; Mohammad Obaidat. SciTePress, 2020. pp. 287-294 (Proceedings of the International Joint Conference on e-Business and Telecommunications).

@inproceedings{5a81edd708464121b90d9c7824030745,

title = "Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks",

abstract = "We describe a new class of packet injection attacks called Man-on-the-Side (MotS), previously only seen where state actors have “compromised” a number of telecommunication companies. MotS injection attacks have not been widely investigated in scientific literature, despite having been discussed by news outlets and security blogs. MotS came to attention after the Edward Snowden revelations, which described large scale pervasive monitoring of the Internet's infrastructure. For an advanced adversary attempting to interfere with IT connected systems, the next logical step is to adapt this class of attack to a smaller scale, such as enterprise or critical infrastructure networks. MotS is a weaker form of attack compared to a Man-in-the-Middle (MitM). A MotS attack allows an adversary to read and inject packets, but not modify packets sent by other hosts. This paper presents practical experiments where we have implemented and performed MotS attacks against two testbeds: 1) on HTTP connections, by redirecting a victim to a host controlled by an adversary; and 2) on an Industrial Control network, where we inject falsified command responses to the victim. In both cases, the victims accept the injected packets without generating a suspiciously large number of unusual packets on the network. We then perform an analysis of three leading Network Intrusion Detection Systems (IDSs) to determine whether the attacks are detected, and discuss mitigation methods.",

keywords = "SCADA, ICS, IEC 60870-5-104, Man-in-the-Middle, Man-on-the-Side",

author = "Peter Maynard and Kieran McLaughlin",

note = "Publisher Copyright: Copyright {\textcopyright} 2020 by SCITEPRESS - Science and Technology Publications, Lda. All rights reserved; 17th International Conference on Security and Cryptography, SECRYPT 2020 - Part of the 17th International Joint Conference on e-Business and Telecommunications, ICETE 2020 ; Conference date: 08-07-2020 Through 10-07-2020",

year = "2020",

month = apr,

day = "1",

doi = "10.5220/0009782302870294",

language = "English",

isbn = "9789897584466",

series = "Proceedings of the International Joint Conference on e-Business and Telecommunications",

publisher = "SciTePress",

pages = "287--294",

editor = "Christian Callegari and Ng, \{Soon Xin\} and Panagiotis Sarigiannidis and Sebastiano Battiato and \{de Leon\}, \{Angel Serrano Sanchez\} and Adlen Ksentini and Pascal Lorenz and Mohammad Obaidat and Mohammad Obaidat and Mohammad Obaidat",

booktitle = "ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications",

}

Maynard, P & McLaughlin, K 2020, Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks. in C Callegari, SX Ng, P Sarigiannidis, S Battiato, ASS de Leon, A Ksentini, P Lorenz, M Obaidat, M Obaidat & M Obaidat (eds), ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications. Proceedings of the International Joint Conference on e-Business and Telecommunications, vol. 3, SciTePress, pp. 287-294, 17th International Conference on Security and Cryptography, SECRYPT 2020 - Part of the 17th International Joint Conference on e-Business and Telecommunications, ICETE 2020, Virtual, Online, France, 08/07/2020. https://doi.org/10.5220/0009782302870294

Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks. / Maynard, Peter; McLaughlin, Kieran.
ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications. ed. / Christian Callegari; Soon Xin Ng; Panagiotis Sarigiannidis; Sebastiano Battiato; Angel Serrano Sanchez de Leon; Adlen Ksentini; Pascal Lorenz; Mohammad Obaidat; Mohammad Obaidat; Mohammad Obaidat. SciTePress, 2020. p. 287-294 (Proceedings of the International Joint Conference on e-Business and Telecommunications; Vol. 3).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks

AU - Maynard, Peter

AU - McLaughlin, Kieran

PY - 2020/4/1

Y1 - 2020/4/1

N2 - We describe a new class of packet injection attacks called Man-on-the-Side (MotS), previously only seen where state actors have “compromised” a number of telecommunication companies. MotS injection attacks have not been widely investigated in scientific literature, despite having been discussed by news outlets and security blogs. MotS came to attention after the Edward Snowden revelations, which described large scale pervasive monitoring of the Internet's infrastructure. For an advanced adversary attempting to interfere with IT connected systems, the next logical step is to adapt this class of attack to a smaller scale, such as enterprise or critical infrastructure networks. MotS is a weaker form of attack compared to a Man-in-the-Middle (MitM). A MotS attack allows an adversary to read and inject packets, but not modify packets sent by other hosts. This paper presents practical experiments where we have implemented and performed MotS attacks against two testbeds: 1) on HTTP connections, by redirecting a victim to a host controlled by an adversary; and 2) on an Industrial Control network, where we inject falsified command responses to the victim. In both cases, the victims accept the injected packets without generating a suspiciously large number of unusual packets on the network. We then perform an analysis of three leading Network Intrusion Detection Systems (IDSs) to determine whether the attacks are detected, and discuss mitigation methods.

AB - We describe a new class of packet injection attacks called Man-on-the-Side (MotS), previously only seen where state actors have “compromised” a number of telecommunication companies. MotS injection attacks have not been widely investigated in scientific literature, despite having been discussed by news outlets and security blogs. MotS came to attention after the Edward Snowden revelations, which described large scale pervasive monitoring of the Internet's infrastructure. For an advanced adversary attempting to interfere with IT connected systems, the next logical step is to adapt this class of attack to a smaller scale, such as enterprise or critical infrastructure networks. MotS is a weaker form of attack compared to a Man-in-the-Middle (MitM). A MotS attack allows an adversary to read and inject packets, but not modify packets sent by other hosts. This paper presents practical experiments where we have implemented and performed MotS attacks against two testbeds: 1) on HTTP connections, by redirecting a victim to a host controlled by an adversary; and 2) on an Industrial Control network, where we inject falsified command responses to the victim. In both cases, the victims accept the injected packets without generating a suspiciously large number of unusual packets on the network. We then perform an analysis of three leading Network Intrusion Detection Systems (IDSs) to determine whether the attacks are detected, and discuss mitigation methods.

KW - SCADA

KW - ICS

KW - IEC 60870-5-104

KW - Man-in-the-Middle

KW - Man-on-the-Side

U2 - 10.5220/0009782302870294

DO - 10.5220/0009782302870294

M3 - Conference contribution

AN - SCOPUS:85110903974

SN - 9789897584466

T3 - Proceedings of the International Joint Conference on e-Business and Telecommunications

SP - 287

EP - 294

BT - ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications

A2 - Callegari, Christian

A2 - Ng, Soon Xin

A2 - Sarigiannidis, Panagiotis

A2 - Battiato, Sebastiano

A2 - de Leon, Angel Serrano Sanchez

A2 - Ksentini, Adlen

A2 - Lorenz, Pascal

A2 - Obaidat, Mohammad

PB - SciTePress

T2 - 17th International Conference on Security and Cryptography, SECRYPT 2020 - Part of the 17th International Joint Conference on e-Business and Telecommunications, ICETE 2020

Y2 - 8 July 2020 through 10 July 2020

ER -

Maynard P, McLaughlin K. Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks. In Callegari C, Ng SX, Sarigiannidis P, Battiato S, de Leon ASS, Ksentini A, Lorenz P, Obaidat M, Obaidat M, Obaidat M, editors, ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications. SciTePress. 2020. p. 287-294. (Proceedings of the International Joint Conference on e-Business and Telecommunications). doi: 10.5220/0009782302870294

Towards understanding Man-on-the-Side Attacks (MotS) in SCADA networks

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Projects

R1594ECI: Analysing and Detecting Advanced Multistage Attacks Against ICS

Cite this